#!/bin/sh
echo '制作CA私钥'
openssl genrsa -out ca.key 2048
echo '制作CA公钥/根证书'
echo 'Common Name 填写 root；其它可以填”.”'
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt


echo '制作服务器私钥'
openssl genrsa -out server.pem 1024
openssl rsa -in server.pem -out server.key
echo '生成签发请求'
echo 'Common Name填写uuid.v1，配置nginx时用到，不能与CA的相同 其它填写”.”'
openssl req -new -key server.pem -out server.csr
echo '用ca签发证书'
openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt

echo '制作客户端证书'
openssl genrsa -out client.pem 1024
openssl rsa -in client.pem -out client.key 
echo '生成签发请求'
echo 'Common Name填写uuid.v1，配置nginx时用到，不能与CA的相同 其它填写”.”'
openssl req -new -key client.pem -out client.csr
echo '用CA签发'
openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out client.crt
echo '证书制作完毕'
# ls -l
# nginx -s reload
# curl --insecure --key ./client.key --cert ./client.crt 'https://uuid.v1'
echo '生成浏览器证书'
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12